See inline...
Pid-2 wrote:
>
> Martin Gainty wrote:
>> please display non-proprietary attributes of HTTPS (Port 8443 or 443)
>> Connector element values from %TOMCAT_HOME%/conf/server.xml
>
> OP: Don't attempt to decipher or respond to the above, it's a red
> herring. You could instead tell us exactly which 6.x you are using and
> on which OS.

I am running in Red Hat 3.4.6-2

> There's a couple of things that may be confusing the config below, which
> have some simple corrections.
>
> I usually place "login.jsp" and "error.jsp" in "WEB-INF/login/", where
> they are protected from unwanted attention by default - this avoids the
> need to protect them with a security-constraint.
>
> You are also protecting "index.jsp" - which will force a login when the
> app's homepage is accessed, is this what you intended?

Yes

> Are you logging out programmatically, using the servlet method
> request.getSession().invalidate(), or are you just clearing cookies?

I invalidate the session programmatically... correct.

> Your primary problem sounds like you have placed some CSS or script
> files somewhere in a protected directory and the browser is requesting
> them without providing the correct authentication credentials.
>
> Tomcat returns the *first* file you requested inside the secured area
> after authentication is completed. So for some reason your browser is
> requesting a script or CSS file before the JSP page.
>
> Are the script and CSS files in an unprotected directory?

You are absolutely correct, basically the scenario is like this:
basically the page is including
<link rel="stylesheet" type="text/css" href="/app1/resources-folder/style.css" />
So the browser should apply the style to the page, but instead it outputs
the actual file to the browser. So it should the style.css from the jsp
file.

This scenario happens when I try to add url-pattern in security constraint
in web.xml (basically adding that module patterns as I described in first
post). Otherwise, it works fine.

> p
>
>>> Date: Tue, 13 Jan 2009 17:03:08 -0800
>>> From: sams...@gmail.com
>>> To: users@tomcat.apache.org
>>> Subject: Tomcat 6.x security-constraint redirection problem... please
>>> help!
>>>
>>> I have defined two roles (admin, user)
>>>
>>> <security-role>
>>>     <role-name>user</role-name>
>>> </security-role>
>>> <security-role>
>>>     <role-name>administrator</role-name>
>>> </security-role>
>>>
>>> each of these roles needs to access into separate modules in my webapp.
>>> For achieving this, I have the following security-constraint in tomcat
>>> web.xml:
>>>
>>> <security-constraint>
>>>     <web-resource-collection>
>>>         <web-resource-name>Authorized Access Area</web-resource-name>
>>>         <url-pattern>/index.jsp</url-pattern>
>>>         <url-pattern>/login.jsp</url-pattern>
>>>         <url-pattern>/error.jsp</url-pattern>
>>>         <url-pattern>/app1/*</url-pattern>
>>>         <url-pattern>*.jsp</url-pattern>
>>>     </web-resource-collection>
>>>     <auth-constraint>
>>>         <role-name>user</role-name>
>>>     </auth-constraint>
>>> </security-constraint>
>>>
>>> <security-constraint>
>>>     <web-resource-collection>
>>>         <web-resource-name>Authorized Access Area</web-resource-name>
>>>         <url-pattern>/index.jsp</url-pattern>
>>>         <url-pattern>/login.jsp</url-pattern>
>>>         <url-pattern>/error.jsp</url-pattern>
>>>         <url-pattern>/app2/*</url-pattern>
>>>     </web-resource-collection>
>>>     <auth-constraint>
>>>         <role-name>administrator</role-name>
>>>     </auth-constraint>
>>> </security-constraint>
>>>
>>> consider the following steps:
>>>
>>> 1. Access context/app1/app1action.jsp URL
>>> 2. I get prompted for credentials
>>> 3. I login as normal user, and on successful login I get redirected to
>>> app1action.jsp page (desired behavior)
>>> 4. Now, I clear my cache & sessions authentication from browser
>>> (firefox)
>>> 4. Browse into some link in app1action.jsp page pointing to some other
>>> page eg. context/app1/anotherpage.jsp
>>> 5. Now I get prompted to relogin
>>> 6. On successful login, I expect myself to get redirected to
>>> 'anotherpage.jsp'. But instead it redirects me to the resources ( JS /
>>> img / css ) that are included within 'anotherpage.jsp' . eg.
>>> context/resources/sample.js or sample.css or sample.gif ....
>>>
>>> I spent a couple of days googling this issue with no luck.
>>>
>>> Can you please advise how to get properly redirected ?
>>>
>>> ~ Many Thanks
>>>
>>> --
>>> View this message in context:
>>> http://www.nabble.com/Tomcat-6.x-security-constraint-redirection-problem...-please-help%21-tp21448079p21448079.html
>>> Sent from the Tomcat - User mailing list archive at Nabble.com.
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>> For additional commands, e-mail: users-h...@tomcat.apache.org

--
View this message in context: http://www.nabble.com/Tomcat-6.x-security-constraint-redirection-problem...-please-help%21-tp21448079p21465763.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
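The layout discussed in this thread, written out as an added web.xml fragment (not posted by anyone in the thread): the stylesheet directory gets its own constraint with no auth-constraint, so the browser can fetch it without triggering the login, and the login pages move under WEB-INF as suggested. FORM authentication and the resource names other than the paths quoted in the thread are assumptions.

```xml
<!-- Added example: fragment for WEB-INF/web.xml, inside <web-app>. -->

<!-- Static assets. A constraint with NO <auth-constraint> allows
     unauthenticated access. /app1/resources-folder/* is a longer
     path-prefix than /app1/*, so it is the best match for
     /app1/resources-folder/style.css and the role check below
     no longer applies to that request. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Static resources (name is an assumption)</web-resource-name>
    <url-pattern>/app1/resources-folder/*</url-pattern>
  </web-resource-collection>
</security-constraint>

<!-- Module pages: one constraint per role, as in the original post. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>app1 pages</web-resource-name>
    <url-pattern>/app1/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>app2 pages</web-resource-name>
    <url-pattern>/app2/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>administrator</role-name>
  </auth-constraint>
</security-constraint>

<!-- Assumption: FORM login. Pages under WEB-INF cannot be requested
     directly, so they need no url-pattern of their own. -->
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/WEB-INF/login/login.jsp</form-login-page>
    <form-error-page>/WEB-INF/login/error.jsp</form-error-page>
  </form-login-config>
</login-config>
```

Everything under the unprotected pattern is readable without a login, so that directory should hold only static assets and no JSPs or data files.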